1. Objective and recommendation


1.1. The objective of this report is for the Audit & Risk Committee to 
review recommended updates to the Corporate Risk and 
Opportunity Register, following the latest iterations of the 
Corporate Risk Reviews. 


1.2. There have been two iterations of the corporate risk reviews since 
the Committee last met. 


1.3. The Audit & Risk Committee are recommended to note the report 
and the decisions taken by the Risk & Governance Board as a 
result of these reviews. 


2. Developing a common understanding 


2.1. At the March meeting, the Risk and Governance Board agreed the 
following: - 


a) To dormant R88 (Future Role and Structure of the ICO) and to 
develop an opportunity with regard to DP Reform. 


b) To de-escalate R86 (Political & Economic Environment) to the 
directorate register. The risk owner will monitor and escalate 
the risk should external factors cause an increase in likelihood 
or impact of this risk. 


c) To review the articulation of R83 (Staff Wellbeing and Welfare) 
as an overall staff wellbeing risk as opposed to being only a 
Covid focused risk. Risk ownership will transfer to Sarah Lal, 
Director of People Services. 


2.2. The following recommendations were agreed at the April Risk and 
Governance Board:- 


a) To rearticulate R81 (Management Board Resilience) to cover the
Senior Leadership as a whole. It was also agreed that the
existing risk rating be reduced from 9 to 6 (likelihood 2 x 3
impact) as it was recognised that whilst the existing controls
reduce the likelihood of the risk to a 2, the impact remains the
same. Ownership of this risk transferred to Sarah Lal, Director
of People Services.


b) To de-escalate R87 (International Position) to Directorate risk 
register level due to this risk achieving its target score. The risk 
owner will monitor and escalate the risk should external factors 
cause an increase in likelihood or impact of this risk. 


c) R21 (Cyber Security) was reviewed in light of changes in the
external environment and it was agreed that the likelihood for
the gross risk rating be revised to 20 (likelihood 4 x 5 impact)
and the current risk rating be increased to 9 (likelihood 3 x 3
impact).


d) In light of the increasing profile and expectations of our SME
products and services, the gross risk rating for R72 (SMEs) has
been increased from 12 to 15 (likelihood 3 x 5 impact).


e) The Board agreed to rearticulate R4b (Capability) and R92 (ICO 
Guidance) as Opportunities as a result of the new risk appetite 
level of “hungry” within these business areas agreed by 
Management Board. 


3. Matters to consider to achieve objective


3.1. The risk description, existing controls, future planned actions and
risk scores were reviewed and amended as appropriate.


3.2. The Risk and Governance Directorate has recently appointed
Caroline Robinson as Risk & Business Continuity Manager. Caroline
started in this role on 21 March. Part of Caroline’s role will be to
provide further assurance within these areas by improving the
ICO’s existing risk management framework so that it aligns with
the business planning process, finalising the business continuity
plan and incident response plans to minimise the impact to the ICO
of an emergency or incident, and raising the profile of Risk and
Business Continuity as a whole across the ICO by embedding a
better understanding of risk management and business continuity
across the ICO. This includes identifying risk champions within
teams and providing training in both these areas.


3.3. The tables below inform the Audit and Risk Committee on progress
against key risks. Please note that for threats the highest rated are
highlighted in the highest rated table and for opportunities the
lowest scoring is highlighted. This is because the scoring
mechanism is reversed for threats and opportunities (for threat risks
we wish to reduce the score, for opportunity risks we wish to increase
the score). Annex B shows a heat map of the threats and
opportunities.


Table 1: Highest Rated Corporate Risks

Ref | Type | Risk Title | Rating / Direction
R4a | Threat | Capacity | Static 6
O3 | Opp’ty | Expectations Gap | Static
O4 | Opp’ty | Capability (Skills & New Knowledge) |
R73 | Threat | Compliance Culture | Static 6


Table 2: Risk Watch List

Ref | Type | Risk | Rating / Direction
R46 | Threat | Financial Resilience | Static
R83 | Threat | Staff Welfare and Wellbeing | Static
R84 | Threat | Major Incident | Static
R61 | Threat | Litigation Resource | Static
R72 | Threat | SMEs | Static
R88 | Threat | Future role and structure of ICO | Static
R89 | Threat | Compensation | Static


4. Areas for challenge


4.1. Do the Committee agree with the decisions of the Risk &
Governance Board and the recommended changes to the Risk &
Opportunity Register?


4.2. Are there any other risks the Committee think should be reviewed
in light of the internal and external environment?


5. Communications considerations


5.1. Risk owners will need to be informed of any recommended 
changes to corporate risks from the Committee. The Risk & 
Business Continuity Manager will inform risk owners accordingly. 


6. Next steps 
6.1. The next steps for this work are: 


• Inform risk owners of any amendments emerging from the
Audit & Risk Committee.


• Update the risk register.


Author: Caroline Robinson 
Consultees: Chris Braithwaite, Joanne Butler, Louise Byers 
List of Annexes: Annex A - Risk Heat Map 


Annex B - Corporate Risk and Opportunity Register 


Publication decision: This report can be published internally without 
redactions 


Outcome reached: Report noted 


Annex A: Risk Heat Map


[Heat map figure. Vertical axis: Likelihood / probability; horizontal axis: Impact. Surviving scale labels: "Very high", "Medium".]


Legend:

• R4a: Capacity
• R4b: Capability
• R21: Cyber Security
• R26: Improving productivity
• R46: Financial Resilience
• R61: Litigation Resource
• R72: SMEs
• R73: Compliance Culture
• R81: Management Board Resilience
• R83: Staff Wellbeing
• R84: Major Incident
• R85: Managing ICO Reputation
• R88: Future Role and structure of ICO
• R89: Compensation
• R90: Regulatory Action & Activity
• R92: ICO Guidance
• R93: Online Safety
• O3: Expectations Gap
• O2: Service Excellence


Note: scores for opportunities are the inverse of scores for risks and should travel from low to high as the opportunity is exploited. So opportunities in the green section of the heat map are being exploited poorly and opportunities in the red section are being exploited well.